From 7c4e92ec33bfe50147c2d2d409f0eefb5eb44ae9 Mon Sep 17 00:00:00 2001
From: anshul23102 <anshul23102@iiitd.ac.in>
Date: Mon, 25 May 2026 07:24:31 +0530
Subject: [PATCH 1/2] fix: close TOCTOU race condition in claimRecommendation

Fixes #205

The previous implementation enforced the 3-claim cap with two independent
database round-trips: a COUNT query, then a separate UPDATE. Between those
two steps, a second concurrent request for the same user could also read
count < 3, pass the guard, and commit its own UPDATE. Sending multiple
claim requests in parallel (trivially via Promise.all) reproduced the bug
reliably -- the user ended up with more than 3 active claims.

Fix: replaced the two-step sequence with a call to a new database function,
claim_recommendation_atomic, added in migration 0012. The function merges
the count check and the write into a single UPDATE statement. The subquery
that evaluates the claim count and the row that gets written are handled
atomically by the database engine, so concurrent calls are serialised at
the row level and only one can succeed when the count is at the limit.

Migration 0012 (supabase/migrations/0012_claim_recommendation_atomic.sql):
  - Defines claim_recommendation_atomic(p_rec_id bigint, p_user_id uuid)
    returning TABLE(id bigint).
  - The UPDATE only proceeds if the caller's current claimed count is
    strictly less than 3 AND the target rec is still open. Zero rows
    returned covers both rejection cases (limit reached or rec not open).
  - SECURITY DEFINER with SET search_path = public prevents search-path
    injection.
  - GRANT EXECUTE given to both authenticated and service_role so server
    actions and background functions can call it without privilege changes.

recommendations.ts:
  - Removed the COUNT query and the subsequent maybeSingle UPDATE.
  - Added service.rpc('claim_recommendation_atomic', ...) in their place.
  - Interprets zero returned rows as a unified claim_limit_or_not_open
    error; the UI already re-fetches state on any error so the distinction
    between the two rejection reasons is not needed client-side.
  - data.id reference updated to claimedId extracted from the RPC result.
---
 src/app/actions/recommendations.ts            | 47 +++++++++---------
 .../0012_claim_recommendation_atomic.sql      | 48 +++++++++++++++++++
 2 files changed, 73 insertions(+), 22 deletions(-)
 create mode 100644 supabase/migrations/0012_claim_recommendation_atomic.sql

diff --git a/src/app/actions/recommendations.ts b/src/app/actions/recommendations.ts
index cd8253f..0a48575 100644
--- a/src/app/actions/recommendations.ts
+++ b/src/app/actions/recommendations.ts
@@ -112,29 +112,32 @@ export async function claimRecommendation(recId: number): Promise<Result<{ id: n
   });
   if (!rateRes.ok) return err('rate_limited', 'slow down', true);
 
-  // Enforce 3-claim limit: count currently claimed recs before allowing a new one.
-  const { count: claimedCount } = await service
-    .from('recommendations')
-    .select('id', { count: 'exact', head: true })
-    .eq('user_id', user.id)
-    .eq('status', 'claimed');
-  if ((claimedCount ?? 0) >= 3) {
-    return err('claim_limit', 'you already have 3 active claims - merge or close them first');
+  // Atomic claim: the count check and the write are merged into a single UPDATE
+  // inside claim_recommendation_atomic (see migration 0012). This eliminates the
+  // TOCTOU window that existed when they were separate round-trips -- concurrent
+  // requests can no longer both pass a count of 2 and both commit, because the
+  // subquery that evaluates the count and the row that gets written are handled
+  // atomically by the database engine.
+  //
+  // Zero rows returned means one of two things: the user already holds 3 active
+  // claims, or this specific rec is no longer open. Both outcomes are safe to
+  // surface with the same error because the UI re-fetches state after either.
+  const { data: rpcData, error: rpcErr } = await service.rpc(
+    'claim_recommendation_atomic',
+    { p_rec_id: recId, p_user_id: user.id },
+  );
+
+  if (rpcErr) return err('persist_failed', rpcErr.message);
+
+  const rows = rpcData as Array<{ id: number }> | null;
+  if (!rows || rows.length === 0) {
+    return err(
+      'claim_limit_or_not_open',
+      'claim rejected: you may already have 3 active claims, or this rec is no longer open',
+    );
   }
 
-  // Atomic claim: UPDATE ... WHERE status='open' AND user_id=auth.uid()
-  // Zero rows affected = already claimed or doesn't exist.
-  const { data, error: updateErr } = await service
-    .from('recommendations')
-    .update({ status: 'claimed', claimed_at: new Date().toISOString() })
-    .eq('id', recId)
-    .eq('user_id', user.id)
-    .eq('status', 'open')
-    .select('id')
-    .maybeSingle();
-
-  if (updateErr) return err('persist_failed', updateErr.message);
-  if (!data) return err('already_claimed', 'this rec is no longer open');
+  const claimedId = rows[0].id;
 
   // Invalidate cache so next dashboard load is fresh.
   await cacheDel(`recs:${user.id}`);
@@ -146,7 +149,7 @@ export async function claimRecommendation(recId: number): Promise<Result<{ id: n
     detail: { recId } as never,
   });
 
-  return ok({ id: data.id });
+  return ok({ id: claimedId });
 }
 
 const PR_URL_RE = /^https:\/\/github\.com\/[^/]+\/[^/]+\/pull\/\d+$/;
diff --git a/supabase/migrations/0012_claim_recommendation_atomic.sql b/supabase/migrations/0012_claim_recommendation_atomic.sql
new file mode 100644
index 0000000..a772a68
--- /dev/null
+++ b/supabase/migrations/0012_claim_recommendation_atomic.sql
@@ -0,0 +1,48 @@
+-- Migration: atomic claim function to close TOCTOU race condition (issue #205)
+--
+-- The previous TypeScript implementation enforced the 3-claim cap with a COUNT
+-- query followed by a separate UPDATE. Because these are two independent database
+-- round-trips, concurrent requests for the same user can both read count < 3,
+-- both pass the guard, and both commit, allowing a user to exceed 3 active claims.
+--
+-- This function moves both operations into a single UPDATE statement. The
+-- subquery that checks the count and the row that gets written are evaluated
+-- atomically by the database engine, so concurrent calls are serialised at
+-- the row level. If the count is already 3 when the UPDATE runs, zero rows
+-- are returned and the claim is rejected without a separate round-trip.
+
+CREATE OR REPLACE FUNCTION public.claim_recommendation_atomic(
+  p_rec_id  bigint,
+  p_user_id uuid
+)
+RETURNS TABLE(id bigint)
+LANGUAGE plpgsql
+SECURITY DEFINER
+SET search_path = public
+AS $$
+BEGIN
+  RETURN QUERY
+  UPDATE recommendations AS r
+  SET
+    status     = 'claimed',
+    claimed_at = now()
+  WHERE
+    r.id      = p_rec_id
+    AND r.user_id = p_user_id
+    AND r.status  = 'open'
+    AND (
+      SELECT COUNT(*)
+      FROM   recommendations r2
+      WHERE  r2.user_id = p_user_id
+        AND  r2.status  = 'claimed'
+    ) < 3
+  RETURNING r.id;
+END;
+$$;
+
+-- Grant execute to authenticated users (server actions run under their session)
+-- and to the service role (used by Inngest functions and webhook handlers).
+GRANT EXECUTE ON FUNCTION public.claim_recommendation_atomic(bigint, uuid)
+  TO authenticated;
+GRANT EXECUTE ON FUNCTION public.claim_recommendation_atomic(bigint, uuid)
+  TO service_role;

From 03563ec63481bb7c89267acb4842ba2e8cc2deac Mon Sep 17 00:00:00 2001
From: anshul23102 <anshul23102@iiitd.ac.in>
Date: Mon, 25 May 2026 07:39:33 +0530
Subject: [PATCH 2/2] fix: stop embedding OAuth token in Inngest audit event
 payload

bootstrapProfile was passing the user's live GitHub OAuth provider token
directly inside inngest.send() for the audit/run event. Inngest persists
event payloads to third-party cloud storage, so this exposed long-lived
credentials outside the application's trust boundary.

The audit-run function already supports a three-tier auth fallback:
1. installationId from the event (minted into a short-lived install token
   at execution time)
2. Live DB lookup of github_installations at execution time
3. accessToken from the event (legacy path, retained for backward compat)

bootstrapProfile now looks up the user's active installation at event-send
time and passes installationId instead of accessToken. If no installation
exists yet (common at first login), installationId is omitted and the
function performs the DB lookup at execution time, by which point the
install webhook will typically have landed.

Also removes the getSession() call that was only needed to retrieve the
provider token, and fixes a TypeScript strict-null error in
claimRecommendation (rows[0] after an explicit length guard).

Closes #204
---
 src/app/actions/profile.ts         | 38 ++++++++++++++++++++----------
 src/app/actions/recommendations.ts | 10 ++++----
 src/inngest/functions/audit-run.ts | 16 ++++++++-----
 3 files changed, 40 insertions(+), 24 deletions(-)

diff --git a/src/app/actions/profile.ts b/src/app/actions/profile.ts
index 7f80828..d928096 100644
--- a/src/app/actions/profile.ts
+++ b/src/app/actions/profile.ts
@@ -69,19 +69,31 @@ export async function bootstrapProfile(): Promise<Result<BootstrapOutput>> {
 
   let auditQueued = false;
   if (!profile.audit_completed) {
-    const providerToken = (await sb.auth.getSession()).data.session?.provider_token;
-    if (providerToken) {
-      await inngest.send({
-        name: 'audit/run',
-        data: {
-          userId: profile.id,
-          githubHandle: profile.github_handle,
-          githubId,
-          accessToken: providerToken,
-        },
-      });
-      auditQueued = true;
-    }
+    // Look up the user's active GitHub App installation. Passing the installation
+    // ID lets audit-run mint a short-lived install token at execution time rather
+    // than embedding a long-lived OAuth token in the Inngest event payload (which
+    // is persisted to third-party storage). If no installation exists yet the
+    // function performs the same DB lookup at execution time and may find one by
+    // then; if still nothing it exits cleanly with reason 'no_auth_source'.
+    const { data: installs } = await service
+      .from('github_installations')
+      .select('id')
+      .eq('user_id', profile.id)
+      .is('uninstalled_at', null)
+      .order('installed_at', { ascending: false })
+      .limit(1);
+    const installationId = (installs?.[0]?.id as number | undefined) ?? undefined;
+
+    await inngest.send({
+      name: 'audit/run',
+      data: {
+        userId: profile.id,
+        githubHandle: profile.github_handle,
+        githubId,
+        installationId,
+      },
+    });
+    auditQueued = true;
   }
 
   // Fire-and-forget maintainer discovery so this user picks up admin
diff --git a/src/app/actions/recommendations.ts b/src/app/actions/recommendations.ts
index 0a48575..1136b72 100644
--- a/src/app/actions/recommendations.ts
+++ b/src/app/actions/recommendations.ts
@@ -122,10 +122,10 @@ export async function claimRecommendation(recId: number): Promise<Result<{ id: n
   // Zero rows returned means one of two things: the user already holds 3 active
   // claims, or this specific rec is no longer open. Both outcomes are safe to
   // surface with the same error because the UI re-fetches state after either.
-  const { data: rpcData, error: rpcErr } = await service.rpc(
-    'claim_recommendation_atomic',
-    { p_rec_id: recId, p_user_id: user.id },
-  );
+  const { data: rpcData, error: rpcErr } = await service.rpc('claim_recommendation_atomic', {
+    p_rec_id: recId,
+    p_user_id: user.id,
+  });
 
   if (rpcErr) return err('persist_failed', rpcErr.message);
 
@@ -137,7 +137,7 @@ export async function claimRecommendation(recId: number): Promise<Result<{ id: n
     );
   }
 
-  const claimedId = rows[0].id;
+  const claimedId = rows[0]!.id;
 
   // Invalidate cache so next dashboard load is fresh.
   await cacheDel(`recs:${user.id}`);
diff --git a/src/inngest/functions/audit-run.ts b/src/inngest/functions/audit-run.ts
index 0f47d84..dc6eca9 100644
--- a/src/inngest/functions/audit-run.ts
+++ b/src/inngest/functions/audit-run.ts
@@ -11,15 +11,18 @@ const AUDIT_MAX_LEVEL = 2;
 
 /**
  * Audit pipeline. Fires once per user, ideally right after their GitHub App
- * install lands. Idempotent — duplicate runs silently no-op because xp_events
+ * install lands. Idempotent -- duplicate runs silently no-op because xp_events
  * has UNIQUE(user_id, source, ref_id) keyed off github_id.
  *
  * Auth precedence:
- *   1. event.data.accessToken (user OAuth token, freshly minted at sign-in)
- *      — used when audit is fired during the bootstrap flow.
- *   2. install token minted from event.data.installationId
- *      — used when audit is fired from the install webhook handler. Install
- *      tokens are minted on demand from the App JWT and don't expire on us.
+ *   1. installationId provided in the event -- an install token is minted on
+ *      demand from the App JWT. These are short-lived and never persist in
+ *      event storage, so they are preferred.
+ *   2. No installationId -- the function queries github_installations at
+ *      execution time. This covers the common case where the audit is queued
+ *      at bootstrap before the install webhook arrives.
+ *   3. accessToken -- retained for backward compatibility with events already
+ *      in the queue. New events no longer include this field.
  *
  * The function does everything in a single step.run so retries replay the
  * whole pipeline. Combined with the xp_events UNIQUE constraint, no zombie
@@ -31,6 +34,7 @@ type AuditEvent = {
     userId: string;
     githubHandle: string;
     githubId: string;
+    /** @deprecated No longer sent by bootstrap flow. Retained for events already in the queue. */
     accessToken?: string;
     installationId?: number;
   };